Managing users and permissions

Security and access control are essential aspects of any infrastructure. MetalSoft uses two concepts for permission management:

  • RBAC for admin operations
  • Delegation for user operations

User accounts

Users who interact with MetalCloud must have an “account”, identified by email and password or API key and, if enabled, protected by 2FA. Accounts can also be created in an external identity provider such as Active Directory, Okta or Auth0; MetalSoft supports LDAP, SAML and OAuth2.

Role based access control (RBAC)

All MetalSoft accounts have a Role associated with them. Roles are in turn associated with permissions that enable or disable certain features of MetalSoft. The list changes frequently; check out the

MetalSoft provides several built-in roles that cannot be edited:

  • Root - highest level.
  • Full Admin - Similar to Root but cannot put the system into maintenance and cannot edit prices
  • Basic Admin - Primarily read only across all admin resources
  • User - Access only to infrastructures and the user interface

Custom roles can also be created. In general, the permissions follow the Admin UI, providing read and write access to the respective resources. For example, workflows_read allows a read-only view of the Workflows section, while workflows_write allows you to edit the workflows.

The following is the current list of permissions:

  • admin_access - Allows access to the admin interface
  • datacenter_read - Datacenter Read
  • datacenter_write - Datacenter Write
  • servers_read - Servers Read
  • servers_write - Servers Write
  • server_types_read - Server Types Read
  • server_type_utilization_report_read - Server Type Utilization Report Read
  • switches_read - Switches Read
  • switches_write - Switches Write
  • storage_read - Storage Read
  • storage_write - Storage Write
  • subnets_read - Subnets Read
  • subnets_write - Subnets Write
  • infrastructures_read - Infrastructures Read
  • infrastructures_write - Infrastructures Write
  • templates_read - Templates Read
  • templates_write - Templates Write
  • events_read - Events Read
  • events_write - Events Write
  • job_queue_read - Job Queue Read
  • job_queue_write - Job Queue Write
  • workflows_read - Workflows Read
  • workflows_write - Workflows Write
  • variables_and_secrets_read - Variables and Secrets Read
  • variables_and_secrets_write - Variables and Secrets Write
  • firmware_upgrade_read - Firmware Upgrade Read
  • firmware_upgrade_write - Firmware Upgrade Write
  • users_and_permissions_read - Users and Permissions Read
  • users_and_permissions_write - Users and Permissions Write
  • prices_read - Prices Read
  • prices_write - Prices Write
  • licenses_read - Licenses Read
  • licenses_write - Licenses Write
  • subscriptions_read - Subscriptions Read
  • subscriptions_write - Subscriptions Write
  • utilization_reports_read - Utilization Reports Read
  • suspend_reasons_read - Suspend Reasons Read
  • suspend_reasons_write - Suspend Reasons Write
  • cluster_read - Cluster Read
  • cluster_write - Cluster Write
  • container_platform_read - Container Platform Read
  • container_platform_write - Container Platform Write
  • datalake_read - Datalake Read
  • datalake_write - Datalake Write
  • dataset_read - Dataset Read
  • dataset_write - Dataset Write
  • cloudinit_read - CloudInit Read
  • cloudinit_write - CloudInit Write
  • datastore_read - Datastore Read
  • datastore_write - Datastore Write
  • maintenance_read - Maintenance Read
  • maintenance_write - Maintenance Write
  • admin_maintenance_read - Admin Maintenance Read
  • admin_maintenance_write - Admin Maintenance Write
  • skip_user_limits - Permission to be set on role when user utilization limits should not be checked by the system.
  • skip_authenticator - Permission to be set on role if 2FA authentication is optional.
  • monitoring_agent_read - Monitoring Agent Read
  • monitoring_agent_write - Monitoring Agent Write
  • emails_write - Emails Write
  • resources_write - Resources Write
  • franchises_write - Franchises Write
  • threshold_write - Threshold Write
  • threshold_read - Threshold Read
  • metalcloud_access - Default permission for user role
  • network_profiles_write - Network Profiles Write
  • global_configurations_write - Global Configurations Write
  • global_configurations_read - Global Configurations Read

Resource ownership

Many resources have an owner associated with them. In that case some resources (such as OS templates and Workflows) will not be visible to the other admins until they are published. This is controlled by a property called visibility. Set the visibility to ‘public’ to share the resource with other users.

The “Billable” account

Only infrastructures that are owned by a “Billable” account can be deployed. Normally in an organization only one account will have Billing activated such as by adding a credit card. This flag can also be used by an external Billing system to determine who needs to be invoiced.

Credentials access - DEPRECATED

All credentials in MetalSoft are encrypted. A special set of permissions is needed to allow an account access to the various credentials for equipment or client instances. Use the Users & Permissions > Credentials Access section to enable or disable access to specific credentials.

Note that in future versions of our software this feature will be combined with the RBAC feature and normal permissions will be created.

User limits

Accounts also have various limits associated with them, such as the maximum number of servers an account can provision. These exist to prevent abuse or Denial-of-Service type attacks. Use the Users & Permissions > Limits section to change these limits.

Delegation

MetalSoft supports two kinds of delegation:

  • Account delegate of another user
  • Infrastructure delegate

Example scenario

To help understand delegation, consider the following scenario:

  1. A billing account (finance@company.com) is created using an email address that reaches the department in charge of paying the invoices. This department will not actually manage infrastructures but will receive the invoices.
  2. An OPS account (ops@company.com) is added by the finance department as an account delegate of the finance account.
  3. The OPS account is now able to create infrastructures: a Web infrastructure for the marketing department, a Hadoop infrastructure for the BI department and an ERP infrastructure for the Logistics department.
  4. The OPS user then invites user mktg@company.com from the marketing department to the Web infrastructure using infrastructure delegation.
  5. The OPS user also invites user logistics@company.com from the logistics department to the ERP infrastructure using infrastructure delegation.
  6. Lastly, the OPS user invites user bi@company.com from the BI department to the Hadoop and the ERP infrastructures using infrastructure delegation.

../../_images/managing_users_and_permissions_1.svg

The result of this setup is that:

  • OPS has the ability to oversee and manage all infrastructures.
  • The marketing and logistics departments each manage their own infrastructure only.
  • The BI team has access to its own infrastructure (the Hadoop infrastructure) but also to the ERP infrastructure.
  • The Finance team receives the invoices for all infrastructures.
  • The detailed infrastructure utilization report provides a breakdown of consumption for each individual department, which enables charge-back to the respective departments.
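The scenario above, as an added example that is not MetalSoft's own code: a minimal Python model of the two user-side rules this page describes (account delegates inherit all of the owner's rights, infrastructure delegates are limited to the infrastructures they were invited to, and only a billable owner's infrastructures can be deployed, with invoices always going to that owner). All class and function names are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed model of MetalCloud delegation as described on this page.
# Names and functions are illustrative assumptions, not MetalSoft's API.

@dataclass
class Account:
    email: str
    billable: bool = False                      # only a billable owner can deploy
    delegates: set = field(default_factory=set)  # account delegates: full owner rights

@dataclass
class Infrastructure:
    name: str
    owner: Account                              # the billable account that is invoiced
    invited: set = field(default_factory=set)    # infrastructure delegates: this one only

def can_manage(user: str, infra: Infrastructure) -> bool:
    """The owner, the owner's account delegates and invited users may manage it."""
    return (user == infra.owner.email
            or user in infra.owner.delegates
            or user in infra.invited)

def can_deploy(user: str, infra: Infrastructure) -> bool:
    """Deploying additionally requires the owning account to be billable."""
    return infra.owner.billable and can_manage(user, infra)

def invoice_recipient(infra: Infrastructure) -> str:
    """Invoices go to the owning account, never to a delegate."""
    return infra.owner.email

def build_scenario() -> dict:
    """Steps 1-6 of the example scenario, as constructed sample data."""
    finance = Account("finance@company.com", billable=True)      # step 1
    finance.delegates.add("ops@company.com")                      # step 2
    # Step 3: OPS creates the infrastructures on behalf of finance, so finance owns them.
    web = Infrastructure("web", finance, {"mktg@company.com"})                        # step 4
    erp = Infrastructure("erp", finance, {"logistics@company.com", "bi@company.com"})  # steps 5, 6
    hadoop = Infrastructure("hadoop", finance, {"bi@company.com"})                     # step 6
    return {"web": web, "erp": erp, "hadoop": hadoop}

if __name__ == "__main__":
    s = build_scenario()
    for user in ("ops", "mktg", "logistics", "bi"):
        access = [n for n, i in s.items() if can_manage(f"{user}@company.com", i)]
        print(f"{user:9s} manages {access}")
```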

Managing account delegation

Many organizations opt to have a finance/procurement department user as the billable user and have a second user as the technical user that actually performs operations “on-behalf-of” the organization. This relationship is called “account delegation”.

If enabled, this second user has all the rights that the owner of the infrastructures has.

Any number of users can be account delegates.

To add an account delegate, open Account Settings (Infrastructure Editor > Account Settings).

../../_images/managing_users_and_permissions_2.png

Click on Account Sharing (Infrastructure Editor > Account Settings > Account Sharing).

../../_images/managing_users_and_permissions_3.png

Add the email address that the delegated user uses to log in to MetalCloud.

../../_images/managing_users_and_permissions_4.png

As a delegated account, from this page you can also impersonate the user in order to perform payments or change credit card information on their behalf.

This mechanism is useful when the primary account is a technical one and somebody else needs to perform manual payments, download invoices, and so on.

Managing infrastructure delegation

A user can be “invited” by an owner or account delegate of an infrastructure to have access only to that respective infrastructure. This is used in situations where internal users or clients of a company reselling MetalCloud services need to have access to a specific infrastructure.

Users will have full access to manage that infrastructure but the billable account that is the owner of the infrastructure will receive the invoices.

To add a delegate on an infrastructure, open the Infrastructure properties dialog by clicking the cogwheel:

../../_images/managing_users_and_permissions_5.png

Click on the Sharing tab and enter the login email of the user that is to be granted permissions. The user will receive an invite email on that address.

../../_images/managing_users_and_permissions_6.png

If the user doesn’t have a MetalCloud account, they will be invited to create one, but no credit card information will be required.
